From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Alexander Dahl
Date: Sat, 17 May 2025 00:02:53 +0200
Message-Id: <20250516220253.221647-1-m.olbrich@pengutronix.de>
In-Reply-To: <20250513140641.4075870-3-ada@thorsis.com>
References: <20250513140641.4075870-3-ada@thorsis.com>
Subject: Re: [ptxdist] [APPLIED] u-boot: Add option to load signed kernel FIT images

Thanks, applied as a4c386b34b25fa0c838797a533fc716b46c80dc0.

Michael

[sent from post-receive hook]

On Sat, 17 May 2025 00:02:53 +0200, Alexander Dahl wrote:
> Requires U-Boot v2023.04 or later, certain options set in board config,
> and KERNEL_FIT_SIGNED enabled. Algorithm "sha256,rsa4096" is hardcoded
> to the same value as hardcoded in ptxd_make_image_fit_its() which is used
> by the kernel-fit package.
>
> With those premises met, U-Boot Verified Boot is possible. Tested with
> U-Boot v2024.04 on Microchip SAM9X60-Curiosity in custom layer on top of
> DistroKit-2024.06.0.
>
> Hit any key to stop autoboot: 0
> 8787737 bytes read in 391 ms (21.4 MiB/s)
> ## Loading kernel from FIT Image at 22000000 ...
>    Using 'conf-microchip,sam9x60-curiosity' configuration
>    Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
>    Trying 'kernel' kernel subimage
>      Description:  kernel
>      Type:         Kernel Image (no loading done)
>      Compression:  uncompressed
>      Data Start:   0x220000b4
>      Data Size:    8757936 Bytes = 8.4 MiB
>      Hash algo:    sha256
>      Hash value:   8c109fc75263329402c7ae63e3d47c18aabf67307ebc0023e88921227abc7cf3
>    Verifying Hash Integrity ... sha256+ OK
> ## Loading fdt from FIT Image at 22000000 ...
>    Using 'conf-microchip,sam9x60-curiosity' configuration
>    Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
>    Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
>      Description:  unavailable
>      Type:         Flat Device Tree
>      Compression:  uncompressed
>      Data Start:   0x2285a45c
>      Data Size:    27903 Bytes = 27.2 KiB
>      Architecture: ARM
>      Hash algo:    sha256
>      Hash value:   db2e8047b404f92cc7ca4f7b918be1191aab3ce33d574f046c0f1da959d3cbb2
>    Verifying Hash Integrity ... sha256+ OK
>    Booting using the fdt blob at 0x2285a45c
> Working FDT set to 2285a45c
>    XIP Kernel Image (no loading done) to 220000b4
>    Loading Device Tree to 27b31000, end 27b3acfe ... OK
> Working FDT set to 27b31000
>
> Starting kernel ...
>
> [    0.000000] Booting Linux on physical CPU 0x0
> [    0.000000] Linux version 6.6.0-tt (ptxdist@ptxdist) (arm-v5te-linux-gnueabi-gcc (OSELAS.Toolchain-2023.07.1 13-20231118) 13.2.1 20231118, GNU ld (GNU Binutils) 2.40) #2 PREEMPT 2024-06-07T12:29:46+00:00
>
> Link: https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html
> Signed-off-by: Alexander Dahl
> Message-Id: <20250513140641.4075870-3-ada@thorsis.com>
> Signed-off-by: Michael Olbrich
>
> diff --git a/platforms/u-boot.in b/platforms/u-boot.in
> index 5ce7387e495d..d263135ca7e7 100644
> --- a/platforms/u-boot.in
> +++ b/platforms/u-boot.in
> @@ -7,6 +7,7 @@ config U_BOOT_DEPENDENCIES > menuconfig U_BOOT > select U_BOOT_DEPENDENCIES > select BOOTLOADER > + select CODE_SIGNING if U_BOOT_VERIFY_SIGNATURE > select HOST_SYSTEM_PYTHON3 > select HOST_OPENSSL if U_BOOT_NEEDS_HOST_OPENSSL > select HOST_GNUTLS if U_BOOT_NEEDS_HOST_GNUTLS > @@ -18,11 +19,11 @@ if U_BOOT > > config U_BOOT_VERSION > string > - default "2019.01" > + default "2023.04" > prompt "U-Boot version" > help > - Enter the U-Boot version you want to build. Usually something like > - "2019.01". > + Enter the U-Boot version you want to build. > + Usually something like "2019.01". > > config U_BOOT_MD5 > string > @@ -193,6 +194,29 @@ config U_BOOT_BOOT_SCRIPT_ROOTFS_PATH > > endif > > +config U_BOOT_VERIFY_SIGNATURE > + bool > + prompt "Verify FIT image signature" > + select U_BOOT_NEEDS_HOST_OPENSSL > + imply KERNEL_FIT_SIGNED > + help > + For U-Boot Verified Boot [1] a public key has to be put into > + the control dtb built with U-Boot. > + The loaded image (most probably a Linux Kernel image) must be > + signed with the matching private key. > + Uses the PTXdist Code Signing Infrastructure. > + > + Note: You need U-Boot 2023.04 or later. > + > + Note: You must enable CONFIG_TOOLS_FIT_SIGNATURE in U-Boot > + Kconfig for the necessary host mkimage features, and > + enable CONFIG_FIT_SIGNATURE, CONFIG_RSA, and > + CONFIG_ECDSA for runtime verification. > + Ensure you have _disabled_ CONFIG_LEGACY_IMAGE_FORMAT to > + not accidentally allow running unsigned images. > + > + [1] https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html > + > comment "target install" > > config U_BOOT_INSTALL_U_BOOT_BIN > diff --git a/rules/u-boot.make b/rules/u-boot.make > index 204475b7843b..d3ea65cf2a53 100644 > --- a/rules/u-boot.make > +++ b/rules/u-boot.make 
> @@ -120,6 +120,19 @@ endif > $(STATEDIR)/u-boot.compile: > @$(call targetinfo) > @$(call world/compile, U_BOOT) > +ifdef PTXCONF_U_BOOT_VERIFY_SIGNATURE > + @mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb > + @$(CODE_SIGNING_ENV) $(U_BOOT_BUILD_DIR)/tools/mkimage \ > + -f auto-conf -d /dev/null -r \ > + -g image-kernel-fit -N pkcs11 -o "sha256,rsa4096" \ > + -k "$(shell cs_get_uri image-kernel-fit)" \ > + -K "$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb" \ > + $(U_BOOT_BUILD_DIR)/unused.itb > +# # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is otherwise > + @rm $(U_BOOT_BUILD_DIR)/dts/dt.dtb > + @$(call compile, U_BOOT, $(U_BOOT_MAKE_OPT) EXT_DTB=$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb) > +endif > + > ifdef PTXCONF_U_BOOT_BOOT_SCRIPT > @$(U_BOOT_BUILD_DIR)/tools/mkimage -T script -C none \ > -d $(U_BOOT_BOOT_SCRIPT_TXT) \
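Review bot: the second platforms/u-boot.in hunk (`@@ -18,11 +19,11 @@`) changes the U_BOOT_VERSION default from "2019.01" to "2023.04" for every platform, not only for those that enable the new option, while the commit message only says the feature needs v2023.04 or later; the commit message should state the default bump explicitly, and the reflowed help text still reads `Usually something like "2019.01".`, so the example lags behind the new default and should be updated in the same hunk.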
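Review bot: in the third platforms/u-boot.in hunk (`@@ -193,6 +194,29 @@`) the help text for U_BOOT_VERIFY_SIGNATURE tells the user to enable CONFIG_RSA and CONFIG_ECDSA, but the signing algorithm wired into u-boot.make is fixed to "sha256,rsa4096", so CONFIG_ECDSA adds nothing to runtime verification for images produced by this option; either drop it or say it is only needed for ECDSA-signed images. The option also uses `imply KERNEL_FIT_SIGNED` rather than `select`, so a user can deselect KERNEL_FIT_SIGNED and end up with a U-Boot that carries a required key (mkimage `-r` in u-boot.make) and an unsigned kernel FIT that U-Boot will refuse to boot; one sentence in the help text naming that failure mode would save debugging time.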
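Review bot: the rules/u-boot.make hunk (`@@ -120,6 +120,19 @@`) is not re-runnable: `@mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb` removes u-boot.dtb, so if the compile stage is re-entered after the mkimage step fails, the mv aborts the build; `cp` keeps the step idempotent. `$(shell cs_get_uri image-kernel-fit)` is expanded by make before the recipe line is handed to the shell, i.e. outside the `$(CODE_SIGNING_ENV)` prefix; if cs_get_uri depends on that environment, run it as `$$(cs_get_uri image-kernel-fit)` inside the same shell command. The line `# # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is otherwise` has a doubled `#` and sits in the middle of a recipe; make it a normal comment, and while there, a comment noting that `-r` is what marks the key as required in u-boot-pubkey.dtb (the bit that turns verification from optional into mandatory) would help the next reader.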